Duplicate continuity cookies cause requests to fail

[aeneasr]

As experienced multiple times by @amorevino and just captured by @sashatalalasha

Google callback request:

curl 'https://project.console.ory.sh/api/kratos/public/self-service/methods/oidc/callback/google?....' \
  -H 'authority: project.console.ory.sh' \
  -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'upgrade-insecure-requests: 1' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' \
  -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'sec-fetch-site: cross-site' \
  -H 'sec-fetch-mode: navigate' \
  -H 'sec-fetch-user: ?1' \
  -H 'sec-fetch-dest: document' \
  -H 'referer: https://accounts.google.com/' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'cookie: ory_kratos_continuity=1; __cfruid=eed8572e5941e594b11253131c2656bb86fe5533-1640599019; csrf_token_e9d6d5f4d737a26e1f7090a79427dd512f6=1=; __cflb=; sticky=; ory_kratos_continuity=2' \
  --compressed

Google callback response headers:

    :authority: project.console.ory.sh
    :method: GET
    :path: /api/kratos/public/self-service/methods/oidc/callback/google?state=...
    :scheme: https
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    accept-encoding: gzip, deflate, br
    accept-language: en-US,en;q=0.9
    cookie: ory_kratos_continuity=1; __cfruid=...-1640599019; ...=...=; __cflb=...; sticky=...; ory_kratos_continuity=2--VTVmGZlj1Iuziui62qXHY_p
    referer: https://accounts.google.com/
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "macOS"
    sec-fetch-dest: document
    sec-fetch-mode: navigate
    sec-fetch-site: cross-site
    sec-fetch-user: ?1
    upgrade-insecure-requests: 1
    user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

redirects to error page with error:

{
  "id": "c7235a89-b79b-4db0-aa7f-0b8c0d565581",
  "error": {
    "code": 400,
    "debug": "Resumable ID from cookie could not be found in the datastore: id=\nrid=\nerror=Unable to locate the resource\nreason=\ndetails=map[]\ndebug=\n\ngithub.com/ory/x/sqlcon.HandleError\n\t/go/pkg/mod/github.com/ory/[email protected]/sqlcon/error.go:68\ngithub.com/ory/kratos/persistence/sql.(*Persister).GetContinuitySession\n\t/go/pkg/mod/github.com/ory/[email protected]/persistence/sql/persister_continuity.go:28\ngithub.com/ory/kratos/continuity.(*ManagerCookie).container\n\t/go/pkg/mod/github.com/ory/[email protected]/continuity/manager_cookie.go:114\ngithub.com/ory/kratos/continuity.(*ManagerCookie).Continue\n\t/go/pkg/mod/github.com/ory/[email protected]/continuity/manager_cookie.go:64\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).validateCallback\n\t/go/pkg/mod/github.com/ory/[email protected]/selfservice/strategy/oidc/strategy.go:253\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).handleCallback\n\t/go/pkg/mod/github.com/ory/[email protected]/selfservice/strategy/oidc/strategy.go:297\ngithub.com/ory/kratos/selfservice/strategy.disabledWriter\n\t/go/pkg/mod/github.com/ory/[email protected]/selfservice/strategy/handler.go:25\ngithub.com/ory/kratos/selfservice/strategy.IsDisabled.func1\n\t/go/pkg/mod/github.com/ory/[email protected]/selfservice/strategy/handler.go:30\ngithub.com/ory/kratos/x.NoCacheHandler.func1\n\t/go/pkg/mod/github.com/ory/[email protected]/x/nocache.go:18\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:387\ngithub.com/ory/nosurf.(*CSRFHandler).handleSuccess\n\t/go/pkg/mod/github.com/ory/[email protected]/handler.go:212\ngithub.com/ory/nosurf.(*CSRFHandler).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/handler.go:169\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/kratos/x.glob..func1\n\t/go/pkg/mod/github.com/ory/[email protected]/x/clean_url.go:12\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:198\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:101\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:68\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:76\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:165\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1\n\t/go/pkg/mod/github.com/ory/[email protected]/prometheusx/metrics.go:108\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/ory/x/prometheusx.(*MetricsManager).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/prometheusx/middleware.go:30",
    "message": "session is not resumable",
    "reason": "No resumable session could be found in the HTTP Header.",
    "status": "Bad Request"
  },
  "created_at": "2022-01-07T13:26:09.432572Z",
  "updated_at": "2022-01-07T13:26:09.432572Z"
}

[aeneasr]

I was able to reproduce this by changing the cookie's signature to something else which means, probably, that the signature will cause a mismatch. In this case, I am consistently able to reproduce this issue.

[aeneasr]

This would then also explain why, when two cookies are given, and the first one is always a dud, the error does not go away on a retry. That is because the cookie is never updated when there is a cookie match, but a signature mismatch.